Security of quantum key distribution with discrete rotational symmetry 




Masato Koashi 

Division of Materials Physics, Graduate School of Engineering Science, 
Osaka University, 1-3 Machikaneyama, Toyonaka, Osaka 560-8531, Japan and 
CREST Photonic Quantum Information Project, 
4-1-8 Honmachi, Kawaguchi, Saitama 331-0012, Japan 

We prove the unconditional security of quantum key distribution protocols using attenuated laser
pulses with $M$ different linear polarizations. When $M = 4$, the proof covers the so-called SARG04
protocol [V. Scarani et al., Phys. Rev. Lett. 92, 057901 (2004)], which uses exactly the same quantum
communication as the Bennett-Brassard 1984 protocol. For a channel with transmission $\eta$, we show
that the key rate in SARG04 scales as $O(\eta^{3/2})$. When we increase the number of states to
$M = 2k - 1$ or $2k$, the key rate scaling improves as $O(\eta^{(k+1)/k})$.

PACS numbers: 03.67.Dd 03.67.-a 



Information encoded on the polarization of a single photon is strongly affected by the law of
quantum mechanics, and can be used to grow a shared random bit sequence (secret key) between two
remote parties with negligible leak to an eavesdropper. The first protocol of this quantum key
distribution (QKD) was proposed by Bennett and Brassard and is called the BB84 protocol. A
practically important and rather surprising fact is that the QKD is still possible even if we
encode the information on an attenuated laser pulse, which might be regarded as a classical object.
One drawback in using such a practical light source is the decrease of the efficiency when we take
the channel loss into consideration. For a channel with transmission $\eta$, the secure key rate in
the BB84 protocol scales as $O(\eta^2)$ instead of the naively expected $O(\eta)$ dependence. The
reason for this poor performance is that whenever the sender Alice emits more than one photon, the
eavesdropper Eve can keep extra photons without introducing any detectable error. In order to
suppress this so-called photon number splitting (PNS) attack, Alice must attenuate her laser pulse
in proportion to $\eta$.

A number of possibilities have been studied to remedy this performance drop. One solution is to
switch to a completely different protocol and implement the B92 protocol with a strong
phase-reference pulse as in its original proposal. It was proved that this simple protocol using
laser light achieves the key rate of $O(\eta)$. Another solution is to modify the quantum
communication part of the BB84 protocol to detect the PNS attack. This can be done [7] by mixing
the pulses (decoy states) with various amplitudes in the protocol, and it was proved that the key
rate of $O(\eta)$ can be achieved with a large number of decoy states. A third possibility is the
so-called SARG04 protocol which modifies only the classical communication part of the BB84. Since
the feasibility of the BB84 with attenuated laser pulses has been repeatedly tested experimentally
in the past decade, the SARG04 protocol has its unique practical importance. What we know about its
security so far is the following. Tamaki and Lo have analyzed [10] a protocol which is the SARG04
augmented with decoy states, and have shown that unconditionally secure key can be extracted from
the two-photon emission part. For the unmodified SARG04 with its original spirit, Branciard et al.
derived $O(\eta^{3/2})$ dependence of the key rate assuming a limited set of individual attacks by
Eve.

In this paper, we prove the security of the SARG04 protocol and its natural generalization to
$M$-state protocols with no condition on the attack by an eavesdropper. We show a lower bound on
the key rate in the SARG04 protocol scaling as $\sim \alpha\eta^{3/2}$, where $\alpha$ is a factor
depending on the bit error rate. For $M\,(> 4)$ states, the exponent improves to
$O(\eta^{(k+1)/k})$ with $k = \lceil M/2 \rceil$, while the requirement for the bit error rate
becomes severer as $k$ increases. For the security proof, we use the $2M$-fold discrete rotational
symmetry of the system to simplify the argument. For a light source with any photon-number
distribution, the protocol can be reduced to an entanglement based protocol with Hilbert space
$\mathcal{H} = \mathbb{C}^M \otimes \mathbb{C}^2$. The whole space $\mathcal{H}$ can be further
divided into $M$ qubits according to the angular momentum. Then we can use a standard analysis to
obtain the security proof.

We consider the following protocols specified by two integers $(M, L)$ with $2L \le M$. Alice
prepares system $C$ in a linearly polarized, phase-randomized state of light, which is written as

$$\rho(\theta) = \sum_n \mu_n |\theta, n\rangle_C\,{}_C\langle\theta, n|, \qquad
|\theta, n\rangle_C = 2^{-n/2}(n!)^{-1/2}\left(e^{i\theta}a_{-1}^\dagger + e^{-i\theta}a_{1}^\dagger\right)^n |{\rm vac}\rangle_C,$$

where $a_k$ is the annihilation operator for a circularly polarized photon with angular momentum
$k$, and $\mu_n$ stands for the photon number distribution. The angle $\theta$ is chosen from the
set $\Omega_M = \{\pi l/M : l = 0, \ldots, M-1\}$. Alice encodes her randomly chosen bit $a$ in the
following way. She chooses an integer $j$ $(0 \le j \le M-1)$ randomly, and sends
$\rho(a\Theta + \pi j/M)$ to Bob, where

$$\Theta = \pi L/M.$$
The receiver Bob analyzes the polarization of the received light by a polarization beam splitter
(PBS) followed by two photon detectors $D_1$ and $D_2$. The whole analyzer is rotated by a randomly
chosen angle $\theta' \in \Omega_M$, such that the light in state $\rho(\theta')$ would be directed
to $D_1$ and never to $D_2$. We assume that the dark counts and the inefficiency of the detectors
can be equivalently described by a noise source in the channel, and hence we treat them as ideal
detectors. We say an event is 'detected' when $D_1$ and $D_2$ register exactly one photon in total,
implying that the incoming state is found in the two-dimensional Hilbert space $\mathcal{H}_B$ of a
single photon. Bob announces when the event is detected, and records the rate $r_d$ of detected
events, which we call the detection rate. After Bob receives the light, Alice announces the value
of $j$. Bob's measurement determines a conclusive value for his bit $b$ only when (a) $D_1$
registers no photons and $D_2$ registers one photon, and (b) the analyzer angle satisfies
$\theta' = \Theta + \pi j/M$ ($b = 0$ in this case) or $\theta' = \pi j/M$ ($b = 1$). Let
$|k\rangle_B \in \mathcal{H}_B$ $(k = 1, -1)$ be the state of a single photon with angular momentum
$k$, and define $|\xi_\theta\rangle_B = (e^{i\theta}|{-1}\rangle_B - e^{-i\theta}|1\rangle_B)/\sqrt{2}$.
Conditioned on the value of $j$, the POVM elements $B_b^{(j)}$ for conclusive events ($b = 0, 1$)
are given by $B_0^{(j)} = P(|\xi_{\Theta + \pi j/M}\rangle_B)/M$ and
$B_1^{(j)} = P(|\xi_{\pi j/M}\rangle_B)/M$, where $P(|\cdot\rangle) = |\cdot\rangle\langle\cdot|$.
Finally, Bob announces whether the event has been conclusive or not.

It will be obvious that the $(M, L) = (4, 2)$ protocol is essentially the BB84 protocol, in which
the bit $a$ is encoded to orthogonal states ($\Theta = \pi/2$). The SARG04 corresponds to $(4, 1)$
and the bit is encoded to nonorthogonal states ($\Theta = \pi/4$), which is the crux of the
protocol.

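The security proof begins with the introduction of a virtual system $A$ with $M$-dimensional
Hilbert space $\mathcal{H}_A$. We take a basis $\{|2k\rangle_A\}_{k=0,\ldots,M-1}$ and assume that
the state $|2k\rangle_A$ has angular momentum $2k$. Let us define

$$|\Psi_n\rangle_{AC} = 2^{-n/2}(n!)^{-1/2}\sum_{k=0}^{n}\binom{n}{k}\,|2(k \bmod M)\rangle_A \otimes (a_{-1}^\dagger)^{k}(a_{1}^\dagger)^{n-k}|{\rm vac}\rangle_C$$

and let $\rho_{AC} = \sum_n \mu_n P(|\Psi_n\rangle_{AC})$. This state is invariant under the
rotation of systems $AC$ by discrete angles $\theta \in \Omega_M$. Let us define another
orthonormal basis $\{|\xi_\theta\rangle_A\}$ $(\theta \in \Omega_M)$ by

$$|\xi_\theta\rangle_A = M^{-1/2}\sum_{k=0}^{M-1} e^{-2ik\theta}|2k\rangle_A.$$

It is straightforward to see that ${}_A\langle\xi_\theta|\rho_{AC}|\xi_\theta\rangle_A = \rho(\theta)/M$
for $\theta \in \Omega_M$. Therefore, it makes no difference if Alice prepares $\rho_{AC}$, sends
system $C$ to Bob, and then determines $(a, j)$ by a measurement with POVM
$A_{a,j} = P(|\xi_\theta\rangle_A)/2$ with $\theta = a\Theta + \pi j/M$ just before the
announcement of $j$.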



With this modification, every case in the detected events is regarded as an outcome of a
measurement on $\mathcal{H}_A \otimes \mathcal{H}_B$. For example, conclusive events correspond to
the operator $R_{\rm con} = \sum_j (A_{0,j} + A_{1,j}) \otimes (B_0^{(j)} + B_1^{(j)})$, and the
events with a bit error ($a \ne b$) to
$R_{\rm bit} = \sum_j (A_{0,j} \otimes B_1^{(j)} + A_{1,j} \otimes B_0^{(j)})$. The summation over
$j$ implies that these operators are invariant under the discrete rotations $\Omega_M$. Hence,
these should take the form of $\bigoplus_k s_k$, where $s_k$ acts on the Hilbert space
$\mathcal{H}_k$ spanned by $|0\rangle_k = |2k\rangle_A|1\rangle_B$ and
$|1\rangle_k = |2(k+1 \bmod M)\rangle_A|{-1}\rangle_B$, the states with total angular momentum
$2k + 1$ (mod $2M$). Let us introduce the identity $\hat{1}_k$ and Pauli operators
$\hat{X}_k = |0\rangle_k\,{}_k\langle 1| + |1\rangle_k\,{}_k\langle 0|$,
$\hat{Z}_k = |0\rangle_k\,{}_k\langle 0| - |1\rangle_k\,{}_k\langle 1|$ for the qubit
$\mathcal{H}_k$. Then, we can simply express the operators as

$$R_{\rm con} = M^{-1}\bigoplus_{k=0}^{M-1}\left(\hat{1}_k - \cos^2\Theta\,\hat{X}_k\right), \qquad
R_{\rm bit} = (2M)^{-1}\bigoplus_{k=0}^{M-1}\left(\hat{1}_k - \hat{X}_k\right). \tag{1}$$
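The block structure of Eq. (1) can be checked numerically. The following Python code is an added example, not part of the original paper: it builds $R_{\rm con}$ and $R_{\rm bit}$ on $\mathcal{H}_A \otimes \mathcal{H}_B$ from the POVM elements $A_{a,j}$ and $B_b^{(j)}$ and compares them entrywise with the direct-sum form. It assumes $|\xi_\theta\rangle_B = (e^{i\theta}|{-1}\rangle_B - e^{-i\theta}|1\rangle_B)/\sqrt{2}$, the single-photon state routed to $D_2$ when the analyzer angle is $\theta$; all function names are illustrative.

```python
import cmath, math

def xi_A(theta, M):
    # |xi_theta>_A = M^{-1/2} sum_k exp(-2ik*theta) |2k>_A, as a list over k
    return [cmath.exp(-2j * k * theta) / math.sqrt(M) for k in range(M)]

def xi_B(theta):
    # assumed sign convention; component order is (|1>_B, |-1>_B)
    amp = 1 / math.sqrt(2)
    return [-cmath.exp(-1j * theta) * amp, cmath.exp(1j * theta) * amp]

def add_projector(R, vec_a, vec_b, weight):
    # R += weight * P(|vec_a>_A (x) |vec_b>_B); basis index = 2*m + s
    v = [x * y for x in vec_a for y in vec_b]
    for r, vr in enumerate(v):
        for c, vc in enumerate(v):
            R[r][c] += weight * vr * vc.conjugate()

def build_operators(M, L):
    Theta = math.pi * L / M
    R_con = [[0j] * (2 * M) for _ in range(2 * M)]
    R_bit = [[0j] * (2 * M) for _ in range(2 * M)]
    for j in range(M):
        for a in (0, 1):        # A_{a,j} = P(xi_{a*Theta + pi*j/M})/2
            for b in (0, 1):    # B_b^{(j)} = P(xi_{(1-b)*Theta + pi*j/M})/M
                va = xi_A(a * Theta + math.pi * j / M, M)
                vb = xi_B((1 - b) * Theta + math.pi * j / M)
                add_projector(R_con, va, vb, 1 / (2 * M))
                if a != b:      # bit error event
                    add_projector(R_bit, va, vb, 1 / (2 * M))
    return R_con, R_bit

def block_form(M, diag, off):
    # direct sum over k of diag*1_k + off*X_k on span{|2k>|1>, |2(k+1 mod M)>|-1>}
    R = [[0j] * (2 * M) for _ in range(2 * M)]
    for k in range(M):
        i0, i1 = 2 * k, 2 * ((k + 1) % M) + 1
        R[i0][i0] = R[i1][i1] = diag
        R[i0][i1] = R[i1][i0] = off
    return R

def max_deviation(M, L):
    # largest entrywise gap between the constructed operators and Eq. (1)
    c2 = math.cos(math.pi * L / M) ** 2
    R_con, R_bit = build_operators(M, L)
    pairs = [(R_con, block_form(M, 1 / M, -c2 / M)),
             (R_bit, block_form(M, 1 / (2 * M), -1 / (2 * M)))]
    return max(abs(x - y) for R, E in pairs
               for row_r, row_e in zip(R, E) for x, y in zip(row_r, row_e))

if __name__ == "__main__":
    for M, L in [(4, 2), (4, 1), (5, 1), (6, 1)]:
        print((M, L), max_deviation(M, L))
```

The deviation stays at rounding level for BB84 (4, 2), SARG04 (4, 1) and the larger protocols, and flipping the relative sign in `xi_B` changes the sign of the $\hat{X}_k$ terms.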



The next step is to describe Bob's measurement $B_b^{(j)}$ as a filter followed by an ideal
measurement on a qubit, as in the security proof of the B92. Consider a virtual qubit $D$ with
$z$ basis $\{|0_z\rangle_D, |1_z\rangle_D\}$ and $x$ basis $\{|0_x\rangle_D, |1_x\rangle_D\}$,
where $|b_x\rangle_D = (|0_z\rangle_D + (-1)^b|1_z\rangle_D)/\sqrt{2}$. Define an operator
$F^{(j)}: \mathcal{H}_B \to \mathcal{H}_D$ by

$$F^{(j)} = \sqrt{2/M}\left[\sin(\Theta/2)\,|1_x\rangle_D\,{}_B\langle\xi_{(\Theta+\pi)/2+\pi j/M}|
+ \cos(\Theta/2)\,|0_x\rangle_D\,{}_B\langle\xi_{\Theta/2+\pi j/M}|\right].$$

Since $B_b^{(j)} = F^{(j)\dagger}|b_z\rangle_D\,{}_D\langle b_z|F^{(j)}$ holds, Bob's measurement
can be regarded as the filtering process described by Kraus operator $F^{(j)}$, which tells whether
the event is conclusive, followed by $z$-basis measurement on qubit $D$, which gives the bit value
$b$. To prove the security, we are interested in what would happen if Bob measured the qubit on
$x$ basis, and how Alice could predict the outcome of that measurement. Bob's $x$-basis measurement
corresponds to the operator $B'^{(j)}_b = F^{(j)\dagger}|b_x\rangle_D\,{}_D\langle b_x|F^{(j)}$
acting on $\mathcal{H}_B$. In order to predict the outcome, Alice could measure $\{A'_{a,j}\}$
instead of $\{A_{a,j}\}$, where
$A'_{a,j} = P(e^{i\varphi}|\xi_{\pi j/M}\rangle_A - (-1)^a e^{-i\varphi}|\xi_{\Theta+\pi j/M}\rangle_A)/4$.
Here $\varphi$ is a parameter we can freely choose. Since
$A_{0,j} + A_{1,j} = A'_{0,j} + A'_{1,j}$, this change of measurement does not affect the
announcement of $j$. The "phase error" event where Alice's prediction fails ($a \ne b$) corresponds
to the operator $R_{\rm ph} = \sum_j (A'_{0,j} \otimes B'^{(j)}_1 + A'_{1,j} \otimes B'^{(j)}_0)$,
which is again rotationally invariant. After some algebra with $\varphi' = \varphi + (\Theta/2)$,
we can express it as

$$R_{\rm ph} = \frac{1}{2M}\bigoplus_{k=0}^{M-1}\left[\cos 2(k\Theta + \varphi')\,(\cos^2\Theta\,\hat{1}_k - \hat{X}_k)
+ (1/2)\sin 2\Theta\,\sin 2(k\Theta + \varphi')\,\hat{Z}_k\right] + R_{\rm con}/2. \tag{2}$$

The rest of the task is to consider how we can estimate the number of the phase errors from the
actually observed quantities. For that purpose, we consider the real protocol and a virtual
protocol, both of which look identical from Eve's point of view. Suppose that there are $3N$
detected events for simplicity (the argument is the same for $N + o(N)$ instead of $3N$). Alice
and Bob randomly group these into three sets of $N$ events. For the first one, Alice measures the
angular momentum of system $A$ in the virtual protocol. In the real protocol, she refrains from
disclosing $j$ and just discards the events. Let $r_{2k}$ be the relative frequency (number of
events divided by $N$) of the outcome $2k$. For the second group, Alice and Bob together measure
the bit error $R_{\rm bit}$ in either of the protocols. Let $r_{\rm err}$ be its relative
frequency. For the third group, from which they try to extract the key, Alice and Bob obtain
$r_{\rm con}N$ conclusive bits in the real protocol. Let $r_{\rm bit}N$ be the number of errors in
these bits. In the virtual protocol, they measure $R_{\rm ph}$ and determine its relative frequency
$r_{\rm ph}$.

Thanks to the random grouping, $r_{\rm bit} = r_{\rm err}$ in the limit of $N \to \infty$ (more
precisely, for any $\epsilon_0 > 0$, the probability of
$|r_{\rm bit} - r_{\rm err}| \ge \epsilon_0$ is exponentially small in the limit). Further, as in
[12], there must be a state $\rho = \bigoplus_k p_k\rho_k$, where $\rho_k$ is a normalized density
operator acting on $\mathcal{H}_k$, such that
${\rm Tr}[\rho\,|2k\rangle_A\,{}_A\langle 2k|] = r_{2k}$, ${\rm Tr}[\rho R_{\rm bit}] = r_{\rm bit}$,
${\rm Tr}[\rho R_{\rm con}] = r_{\rm con}$, and ${\rm Tr}[\rho R_{\rm ph}] = r_{\rm ph}$. Let us
write $X_k = {\rm Tr}(\rho_k\hat{X}_k)$ and $X = \sum_k p_k X_k$. The quantity $X$ can be
determined from the observed value $r_{\rm err}$ or $r_{\rm con}$ through the relations resulting
from Eqs. (1),

$$2Mr_{\rm bit} = 1 - X, \qquad Mr_{\rm con} = 1 - X\cos^2\Theta. \tag{3}$$

Note that we can omit the measurement of $r_{\rm err}$ unless $\Theta = \pi/2$. Using Eq. (2) and
the relation $X_k^2 + {\rm Tr}(\rho_k\hat{Z}_k)^2 \le 1$, we obtain

$$r_{\rm ph} \le \frac{r_{\rm con}}{2} + \frac{1}{2M}\sum_k p_k f_{2(k\Theta+\varphi')}(X_k), \tag{4}$$

where

$$f_\phi(x) = \cos\phi\,(\cos^2\Theta - x) + \frac{1}{2}\sin 2\Theta\,|\sin\phi|\sqrt{1 - x^2}.$$

It is seen that if $\cos 2(k\Theta + \varphi') < 0$, the phase error contribution from
$\mathcal{H}_k$ is too high even if $X_k = 1$ (no bit errors). We thus should choose $\varphi'$
such that the contribution from such "bad" subspaces is minimized. Finally, we derive an
inequality from the fact that Eve cannot touch system $A$ directly. Even though Eve may freely
choose which events should be detected, $\{r_{2k}\}$ must still satisfy
$r_{2k} \le r_d^{-1}{\rm Tr}[\rho_{AC}|2k\rangle_A\,{}_A\langle 2k|]$, which leads to

$$p_k\left(1 - \sqrt{1 - X_k^2}\right) + p_{k-1}\left(1 - \sqrt{1 - X_{k-1}^2}\right)
\le 2r_d^{-1}{\rm Tr}[\rho_{AC}|2k\rangle_A\,{}_A\langle 2k|], \tag{5}$$

where $p_{-1} = p_{M-1}$. An upper bound $\bar{r}_{\rm ph}$ of $r_{\rm ph}$ can thus be calculated
from the observed quantities $X$ and $r_d$ by taking the maximum of the rhs (right-hand side) of
Eq. (4) over $\{p_k, X_k\}$, under the constraints of Eq. (5) and $X = \sum_k p_k X_k$.

Now the situation is summarized as follows. Alice and Bob have $r_{\rm con}N$ conclusive bits with
$r_{\rm err}N$ errors. Bob's bits can be regarded as outcomes of $z$-basis measurements on
$r_{\rm con}N$ qubits, and if he had measured those qubits on $x$-basis, Alice could have
predicted the outcomes with at most $r_{\rm ph}N$ errors. Then, by the argument in ^j|> we can
extract an unconditionally secure secret key of length

$$G_N = Nr_{\rm con}\left[1 - h(r_{\rm err}/r_{\rm con}) - h(\bar{r}_{\rm ph}/r_{\rm con})\right],$$

where $h(x) = -x\log_2 x - (1 - x)\log_2(1 - x)$. We can also derive the same key rate by assuming
virtual qubits in Alice's side and invoking Shor-Preskill argument.

Using the general prescription derived above, here we concentrate on the most interesting case,
the high channel-loss limit ($\eta \to 0$) when Alice uses an attenuated laser source with mean
photon number $\mu$, namely, $\mu_n = e^{-\mu}\mu^n/n!$. For a fair comparison of various
protocols, we assume that, in addition to the transmission $\eta$, the channel applies a random
rotation of polarization with probability $\epsilon$. This results in the observed quantities
$X = 1 - \epsilon$ and $r_d = \mu\eta$ in the limit $\eta \to 0$. Let $K$ be a positive integer
satisfying $K \le M - 2$ and $2L(K - 1) < M$, namely, $\cos(K - 1)\Theta > 0$. We will show that by
setting $\mu = (\gamma\eta)^{1/K}$, the key gain of $O(\eta^{(K+1)/K})$ is achievable in the
high-loss limit $\eta \to 0$, when $\epsilon$ is small enough.

Consider the limit $\eta \to 0$ with $\mu = (\gamma\eta)^{1/K}$. For $k = K + 1$, the rhs of
Eq. (5) converges to $\zeta_K\gamma$, where $\zeta_K = [2^K(K + 1)!]^{-1}$ is a constant. Hence,
when $K = M - 2$, we have

$$p_{M-1}\left(1 - \sqrt{1 - X_{M-1}^2}\right) + p_K\left(1 - \sqrt{1 - X_K^2}\right) \le \zeta_K\gamma. \tag{6}$$

When $K \le M - 3$, either $p_k = 0$ or $X_k = 0$ holds for $k = K + 1, \ldots, M - 1$ since the
rhs of Eq. (5) vanishes for $k \ge K + 2$. Therefore, Eq. (6) still holds, and the contributions
from $\mathcal{H}_{K+1}, \ldots, \mathcal{H}_{M-2}$ are not significant. On the other hand, there
are no bounds for $\mathcal{H}_0, \ldots, \mathcal{H}_{K-1}$. We thus choose
$\varphi' = -(K - 1)\Theta/2$, making these subspaces "good" ones.

FIG. 1: (a) Key gain $G$ of SARG04 in the high channel loss limit $\eta \to 0$. (b) The same for
the (5, 1) and the (6, 1) protocol. (c) Threshold channel noise $\epsilon$ for achieving
$O(\eta^{(K+1)/K})$ scaling of the key gain.

Let us divide $X$ into two contributions as $X = qX' + (1 - q)X''$, where the first term is from
$\mathcal{H}_K$ and $\mathcal{H}_{M-1}$, namely, $q = p_K + p_{M-1}$ and
$qX' = p_K X_K + p_{M-1}X_{M-1}$. Then, from Eq. (6), we have

$$q\left(1 - \sqrt{1 - X'^2}\right) \le \zeta_K\gamma, \tag{7}$$

and Eq. (4) becomes

$$M(2r_{\rm ph} - r_{\rm con}) \le q f_{(K+1)\Theta}(X') + (1 - q)f(X''), \tag{8}$$

where $f(x)$ is defined as the boundary of the convex hull of the union of regions below
$f_{(K-1)\Theta}(x)$, $f_{(K-3)\Theta}(x)$, $\ldots$, ($f_\Theta(x)$ or $f_0(x)$). For the relevant
case with small bit errors ($x$ being close to 1), $f(x)$ coincides with $f_{(K-1)\Theta}(x)$. Let
$g(\gamma, \epsilon)$ be the maximum of the rhs of Eq. (8) over $q, X', X''$ under Eq. (7) and
$1 - \epsilon = qX' + (1 - q)X''$. The key gain $G$ (per pulse) in the limit $\eta \to 0$ is given
by

$$G = M^{-1}\gamma^{1/K}\eta^{(K+1)/K}\beta(\epsilon)\left[1 - h\!\left(\frac{\epsilon}{2\beta(\epsilon)}\right)
- h\!\left(\frac{1}{2} - \frac{\max\{0, -g(\gamma, \epsilon)\}}{2\beta(\epsilon)}\right)\right], \tag{9}$$

where $\beta(\epsilon) = Mr_{\rm con} = 1 - \cos^2\Theta\,(1 - \epsilon)$. Since
$g(0, 0) = f_{(K-1)\Theta}(1) < 0$, the rhs of Eq. (9) is positive for sufficiently small $\gamma$
and $\epsilon$. For a fixed $M \ge 4$, $K$ can be as large as $\lceil M/2 \rceil$ when $L = 1$.
Hence, the key gain scales as $O(\eta^{3/2})$ in the SARG04 protocol. The gain after optimization
over $\gamma$ is shown in Fig. 1(a). When $\epsilon = 0$, the optimum intensity of Alice's source
scales as $\mu \sim 1.51\eta^{1/2}$. While the (5, 1) protocol and the (6, 1) protocol both achieve
$O(\eta^{5/4})$ scaling, the latter protocol is better as shown in Fig. 1(b). In addition, we can
double the key gain of the protocols with even $M$ by separately collecting and processing the
events where $D_2$ registers no photons and $D_1$ registers one photon. Fig. 1(c) shows the
threshold noise $\epsilon$ below which the key gain of $O(\eta^{(K+1)/K})$ is achievable. It is
seen that the requirement for the noises becomes tighter as the exponent improves. This threshold
depends only on $\Theta$ and not on $M$, since the only dependence on $M$ of the rate (9) is the
$M^{-1}$ factor. The threshold is highest for approximately $\Theta \sim \pi/4(K - 1)$, which is
achieved by the $(4(K - 1), 1)$ protocol.
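The high-loss analysis above can be evaluated numerically for SARG04, $(M, L) = (4, 1)$ with $K = 2$, where the hull function in Eq. (8) reduces to $f_\Theta$. The following Python code is an added example, not part of the original paper: it computes $G/\eta^{3/2}$ from the key length $G_N$ with $r_d = \mu\eta$, $X = 1 - \epsilon$ and the bounds (7) and (8). The function names and the grid resolution `n` are assumptions, and the grid search approaches the maximum in Eq. (8) from below.

```python
import math

THETA = math.pi / 4          # SARG04: (M, L) = (4, 1), Theta = pi*L/M
M, K = 4, 2
ZETA = 1 / (2 ** K * math.factorial(K + 1))   # zeta_K = [2^K (K+1)!]^{-1}

def h(x):
    # binary entropy function
    return 0.0 if x <= 0 or x >= 1 else -x * math.log2(x) - (1 - x) * math.log2(1 - x)

def f(phi, x):
    # f_phi(x) = cos(phi)(cos^2 Theta - x) + (1/2) sin(2 Theta) |sin phi| sqrt(1 - x^2)
    root = math.sqrt(max(0.0, 1 - x * x))
    return (math.cos(phi) * (math.cos(THETA) ** 2 - x)
            + 0.5 * math.sin(2 * THETA) * abs(math.sin(phi)) * root)

def g_bound(gamma, eps, n=400):
    # maximise q f_{(K+1)Theta}(X') + (1-q) f_{(K-1)Theta}(X'') over a grid, subject to
    # q(1 - sqrt(1 - X'^2)) <= zeta_K*gamma and 1 - eps = q X' + (1-q) X''
    best = f((K - 1) * THETA, 1 - eps)            # q = 0 is always feasible
    for i in range(n + 1):
        Xp = -1 + 2 * i / n
        slack = 1 - math.sqrt(max(0.0, 1 - Xp * Xp))
        q_max = 1.0 if slack == 0 else min(1.0, ZETA * gamma / slack)
        for m in range(1, n + 1):
            q = q_max * m / n
            if q >= 1:
                continue
            Xpp = (1 - eps - q * Xp) / (1 - q)
            if abs(Xpp) <= 1:
                val = q * f((K + 1) * THETA, Xp) + (1 - q) * f((K - 1) * THETA, Xpp)
                best = max(best, val)
    return best

def sarg04_gain_coeff(gamma, eps):
    # G / eta^{3/2} with mu = (gamma*eta)^{1/2}, r_d = mu*eta, X = 1 - eps
    beta = 1 - math.cos(THETA) ** 2 * (1 - eps)       # beta = M * r_con
    g = g_bound(gamma, eps)                           # bound on M(2 r_ph - r_con)
    phase = 0.5 + min(0.0, g) / (2 * beta)            # phase error rate, capped at 1/2
    rate = 1 - h(eps / (2 * beta)) - h(phase)
    return math.sqrt(gamma) * beta / M * max(0.0, rate)

if __name__ == "__main__":
    for gamma in (1.0, 2.28, 4.0):
        print(gamma, sarg04_gain_coeff(gamma, 0.0))
```

At $\epsilon = 0$ the coefficient peaks near $\gamma \approx 2.3$, that is $\mu \approx 1.5\,\eta^{1/2}$, in line with the optimum intensity quoted in the text.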

In summary, we have proved the unconditional security of the SARG04 protocol and shown that the
key gain scales as $O(\eta^{3/2})$. A natural generalization was given for the $(M, L)$ protocols
with $M$ linearly polarized states. When the channel noise is low, the $(M, 1)$ protocol can
achieve the key gain of $O(\eta^{(K+1)/K})$ with $K = \lceil M/2 \rceil$. One might wonder why we
do not achieve $K = M - 2$, which is the bound due to the USD (unambiguous state discrimination)
attack [10, 15]. But $K = \lceil M/2 \rceil$ is indeed optimal, because there is an attack which is
a kind of mixture of USD and PNS. For example, if Alice emits 4 photons in the (6, 1) protocol, Eve
may apply a filter to the excess 3 photons to obtain state
$[e^{3i\theta}(a_{-1}^\dagger)^3 + e^{-3i\theta}(a_{1}^\dagger)^3]|{\rm vac}\rangle$ with a nonzero
probability. She sends the remaining one photon to Bob only when the filtering has been successful.
It is then obvious that Eve can always determine the bit $a$ after the announcement of $j$. It is
not difficult to extend this attack to larger values of $M$. One possible way to avoid this kind of
attack is to mix the protocols with different values of $L$, which is just a modification of the
classical communication part.

The author thanks N. Imoto and K. Tamaki for helpful discussions. This work was supported by a
MEXT Grant-in-Aid for Young Scientists (B) 17740265.